Office of Inspector General
Audit Report

DOT DOES NOT HAVE AN EFFECTIVE
ENTERPRISE ARCHITECTURE PROGRAM
FOR MANAGEMENT OF INFORMATION
TECHNOLOGY CHANGES

Department of Transportation

Report Number: FI-2012-086
Date Issued: April 17, 2012

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject:  ACTION: DOT Does Not Have an Effective
          Enterprise Architecture for the Management of
          Information Technology Changes
          Report Number: FI-2012-086
Date:     April 17, 2012
From:     Louis King
          Assistant Inspector General for Financial and
          Information Technology Audits
Reply to Attn. of:  JA–20
To:       Chief Information Officer

With approximately $3 billion in annual expenditures, and reliance on about 400
information technology (IT) systems to conduct business and meet its missions,
the Department of Transportation (DOT) has one of the largest IT investments in
the Federal Government. Under the Clinger-Cohen Act,[1] each Federal department
must implement a management framework that ultimately reduces its IT
expenditures through investments in projects with reasonable costs and solid
management of acquisition risks. This framework—commonly referred to as an
“enterprise architecture” (EA)—describes both a department’s current state of IT
operations (the baseline architecture) as well as the future state of these operations
after the implementation of improvements (the target architecture). This
framework also includes a transition plan to move from the baseline to the target
architecture. The purpose of EA is to save costs, reduce duplication of systems,
align information technology to agency missions, and maximize benefits of
security investments.

DOT has expended approximately $48 million on EA, and for fiscal year 2011 and
beyond, has requested an additional $25 million.[2] In 2006, the Government
Accountability Office (GAO) reported[3] that DOT’s EA efforts suffer from a lack
of commitment and departmental oversight. To obtain a view of the Department’s
current EA program, we conducted this review. Specifically, our objectives were
to determine whether DOT has (1) an effective program for the development and
oversight of a Departmentwide EA; and (2) established procedures for the
assessment of EA activities.

[1] Clinger-Cohen Act (formerly the Information Technology Management Reform Act), Pub. L. No. 104-106 (1996);
    codified at 40 U.S.C. § 11101, et seq. (2011).
[2] Exhibit B provides a summary of DOT’s EA funding by component.
[3] GAO, Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation,
    GAO-06-831 (Washington, DC: August 2006).

To accomplish our objectives, we met with the Department and the components’
Chief Information Officers (CIO), and EA and capital planning and investment
control (CPIC) representatives to determine the history of DOT’s EA
implementation and the status of each component’s EA. In this report,
“components” refers to the Department’s ten Operating Administrations as well as
the Office of the Secretary (OST), the Office of the Inspector General (OIG), and
the Surface Transportation Board (STB). We reviewed and analyzed documents
on components’ systems, current EA architectures, and relevant policies and
procedures. We also reviewed OIG and GAO reports. We conducted this audit
between February 2011 and February 2012 in accordance with generally accepted
Government auditing standards. A detailed description of the scope and
methodology used on this audit can be found in Exhibit A.

RESULTS IN BRIEF

DOT does not have a Departmentwide EA program, as required by Clinger-Cohen.
In 2000, DOT assigned authority for EA development to its components,
but never planned for the integration of the components’ EAs into a single,
Departmentwide EA.
Furthermore, the components’ EA programs are incomplete.
For example, the components have not completed their EA policies, procedures,
and baseline architectures. The lack of comprehensive policies and procedures at
both the Department and component levels and the variations in the components’
EAs increase the likelihood that the components’ EAs cannot be easily integrated
into a Departmentwide EA. In response to an OMB request for the status of
DOT’s EA program, the Department recently established a repository for
component EA information. However, the Department has not provided direction
on what information components should provide. As a result, the incomplete
repository contributes to difficulties in information sharing and identification of
redundancies, and limits the reuse of resources—primary objectives of an EA
program. Finally, because most components have not included security costs in
their EA programs, as required by the Federal Information Security Management
Act (FISMA), DOT cannot effectively manage IT security funding. DOT and
component officials attributed these deficiencies to personnel losses and the
dissolution of the departmental EA program office, among other things. In 2009,
DOT hired a Chief Architect, but to date, no staff have been hired to execute and
manage an EA program.

DOT does not have procedures for Departmentwide EA assessment, and
consequently, cannot measure the status and progress of its components’ EAs.
OMB’s guidance states that each Department should measure its EA activities
against quality standards, and that, in order for management to benefit from EA,
each department should regularly report EA quality measurements to appropriate
officials.
However, the Department’s CIO has not developed a program to monitor
EA activities and does not require components to report EA performance
measures, their plans for improvements to EA programs, or cost savings achieved.
Still, in response to a 2011 GAO data request,[4] DOT reported that it had saved
approximately $83 million in fiscal year 2009 as a result of its EA. However, DOT
officials could not produce any evidence of these savings or show how they were
calculated. Other than FAA’s non-National Airspace System (NAS), the
components do not use EA measurement programs. Of the five components that
have procedures to address performance measures, only one could provide
evidence of implementation. This lack of Departmentwide performance
measurements and accountability inhibits DOT’s ability to measure EA’s benefits
for its decision-makers, and reduce costs in its IT investments.

[4] In 2011, GAO initiated a survey of Federal departments and agencies’ efforts to measure and report EA results and
    outcomes. Subsequently, and in response to a congressional mandate, GAO announced a Governmentwide
    engagement on EA results and outcomes.

We are making a series of recommendations to assist the Department in its
establishment of an effective Departmentwide enterprise architecture program.

BACKGROUND

In 1996, Congress enacted the Clinger-Cohen Act to address longstanding
problems related to Federal IT management. Clinger-Cohen requires the head of
each Federal agency to establish a process that maximizes the value of IT
investments, and assesses and manages the risks of IT acquisitions. Under the Act,
agencies must implement IT projects that contribute to tangible and observable
improvements in agencies’ missions at acceptable costs and within reasonable
timeframes.

Clinger-Cohen also requires each agency’s CIO to develop, facilitate the
implementation of, and maintain an agency-wide EA program that integrates
agency business processes with agency goals. These EA programs are to establish
baseline and target architectures, and transition plans for program management
and investment decisions. Sections 53 and 300 of OMB Circular A-11,
“Preparation, Submission, and Execution of the Budget,” and Circular A-130,
“Management of Federal Information Resources,” establish policy for the
management of Federal information resources, and require Federal agencies to
align their IT investments to their EAs.

In September 1999, the Federal CIO Council[5] published the Federal Enterprise
Architecture Framework (FEAF)[6] to provide Federal agencies with a common
construct for their architectures, and facilitate the coordination of system
investments among Federal agencies. A FEAF model describes an agency’s
business, the data necessary to conduct the business, applications to manage the
data, technology to support the applications, and security measures that ensure the
protection of information resources. In August 2010, GAO issued A Framework
for Assessing and Improving EA Management (Version 2.0), an update of a 2003
version. In June 2009, OMB issued Enterprise Architecture Framework v 3.1.

[5] The CIO Council is the principal interagency forum on the improvement of agency practices related to use of Federal
    information resources.
[6] A framework and high-level process that is not prescriptive, but that provides a method for the implementation of
    EA in a uniform way. FEAF includes requirements for change drivers—business needs, such as new missions or
    assumption of large plans, and technical needs, such as unsupported platforms or obsolescence.

Development and implementation of an EA require rigorous, disciplined
management practices and maintenance that ensures that the EA is always
accurate. Regular assessments are necessary to keep an EA aligned with its
department’s strategic missions and priorities, changing business practices,
funding profiles, and new technologies. According to OMB and the Federal CIO
Council,[7] an effective EA program consists of a number of important elements,[8]
including a governance structure, departmentwide policy, and management plans.
The guidance for Federal departments from these two agencies and GAO on EA
management practices provides end-to-end processes for an EA program’s
development, implementation, and maintenance, including:

   • initiation and organization;
   • needed management controls;
   • factors that go into decisions on EA development;
   • steps for the definition of current and target architectures and a plan for
     transition from the current to the target;
   • how to ensure that the EA is implemented and enforced; and
   • how to systematically keep the EA current.

[7] Federal CIO Council, A Practical Guide to Federal Enterprise Architecture, Version 1.0 (February 2001).
[8] These elements are encapsulated in GAO’s EA framework, which defines 59 elements and practices critical to an
    effective program (GAO, A Framework for Assessing and Improving Enterprise Architecture Management (Version
    2.0), GAO-10-846G (Washington, DC: August 2010)).

Regular assessment of a departmentwide EA program requires a repository for the
storage of EA-related information from the department’s components, such as
summaries of IT investment portfolios, metrics for investment performance, data
from IT applications, and plans for security maintenance. This repository stores
the information in a readily retrievable form. It may be as simple as a shared
directory with department EA artifacts, or it may include databases, web portals or
EA-specific modeling tools. The repository also facilitates information sharing
among components so they can avoid redundancies in their IT applications and
systems.

DOT DOES NOT HAVE A DEPARTMENTWIDE EA PROGRAM

DOT does not have a Departmentwide EA program. Instead, DOT has assigned
authority for EA development to its components, but has no plan to integrate their
individual EA programs into a Departmentwide program. However, the
components’ EA programs are incomplete. Specifically, they have not finalized
their EA policies and guidance, completed or updated baseline architectures, or
defined target architectures. Furthermore, the components have not integrated their
programs with their IT investment practices. In March 2011, in response to an
OMB request for information on EA development status, DOT established a
repository for EA information, but has not yet defined what information the
components must provide. Most of the components also have not included security
in their EA programs, and none could support their security funding requests.

DOT’s EA Policies and Procedures Are Outdated and Incomplete

DOT does not have a Departmentwide EA program and lacks adequate policy and
procedures to develop an EA.
Clinger-Cohen requires an EA program and OMB
requires related policies and procedures. DOT’s current EA policy[9] outlines roles
and responsibilities for components’ compliance, but it is outdated and does not
cover all of the elements specified by OMB. For example, the policy references
DOT offices that no longer exist but that have not been replaced. Furthermore, the
policy does not address metrics that measure the progress in an EA’s development,
integration, and use over time.

[9] DOT Order 1351.27; Chief Information Officer Policy (CIOP) Chapter 1351.27, dated September 25, 2009.

The Department’s EA procedures, entitled Integrated Program Planning and
Management Governance and Practitioners Guides (IPPM), dated March 2010, are
also deficient since they do not incorporate all of OMB’s requirements and lack
the necessary detail for execution. For example, the procedures do not address the
alignment of EA to IT investments or address the interoperability of existing
systems. Furthermore, they do not specify the people, processes, and tools
necessary to implement a program.

When it began EA planning in early 2000, DOT assigned authority to the
individual components for development of EA programs, but never planned for the
integration of the components’ EAs into a single, Departmentwide EA. We found
that the components have made some progress in the groundwork for their
individual programs, but their EAs remain mostly incomplete. For example, the
components have completed only 2 of the 59 core elements of GAO’s EA
Framework. These core elements are the building blocks of EA management. The
completion of the activities described in the elements will enable management to
mature its EA program and maximize achievement of EA benefits.
Exhibit C
presents DOT’s progress in completion of the activities described by each element
in GAO’s Framework, and identifies areas that remain deficient or have not been
addressed. These deficient areas include incomplete policies, procedures, and
baseline architectures; the absence of defined target architectures; and the
integration of EA with IT investment practices.

In the absence of Departmentwide guidance, components have developed their
own policies and procedures, though the majority of them have not been finalized.
We found that only four components—FAA, the Federal Highway Administration
(FHWA), the Federal Railroad Administration (FRA), and the Maritime
Administration (MARAD)—have EA program policies, though the policies do not
incorporate all OMB requirements. Furthermore, these four components’
procedures are incomplete. Specifically, they do not:

   • Have sufficient detail to enable continuous EA maintenance and oversight;

   • Have sufficient detail to support strategic planning, EA performance
     improvement planning, IT management, and capital planning and
     investment control processes;

   • Describe the generation and maintenance of EA documentation;

   • Promote information sharing through the use of standardized data; the
     Department has adopted the National Information Exchange Model, the use
     of which results in data formatted in a consistent manner and enables
     information sharing; however, FHWA, FRA, and MARAD informed us
     that they are individually developing data standards;

   • Incorporate analysis of departmental missions into EA maintenance and IT
     investment planning;

   • Provide sufficient criteria for the choice of IT applications, or tools, for use
     in EA information management; EA programs must decide what
     applications will be used to graphically and textually capture EA
     information; FAA and PHMSA use software specialized for EA modeling
     while the remaining components use non-specialized software such as
     Microsoft Word, Excel, and PowerPoint.

DOT and component officials reported that the Department’s EA program has
been impacted by both budget cuts and personnel losses, including the disbanding
of the departmental EA Program Office. DOT’s Chief Architect, hired in 2009,
informed us that he initiated discussion with the components on EA but has had no
staff to develop a comprehensive EA program. Furthermore, OCIO officials
informed us that the Department is reviewing EA work to determine future
direction, and that this review will include completing or updating the
Department’s EA policy and procedures. The Department’s IT governance
group—the Investment Review Board—is a key part of this process. However, it
has not met since February 2011.

Because of the Department and components’ lack of comprehensive EA policies
and procedures, the existing EA programs vary and are sometimes inadequate. As
a result, it will likely be difficult to integrate the components’ architectures into a
Departmentwide EA. These inadequate policies and procedures have contributed
to the other issues we identified.

DOT Has Just Begun Collection of Components’ Information for Its
EA Repository

Until recently, DOT did not have a repository for EA information as required by
OMB. An EA repository is a mechanism for the storage and retrieval of an EA’s
content.
In its response to OMB’s February 2010 request for information on
departmental EA progress, DOT began to collect and maintain information on
components’ EA programs on its SharePoint Website.[10] However, this Website is
a work-in-progress and is incomplete. In the past, OCIO has had incorrect
information about the status of components’ EA development. For example, in
March 2011, prior to the establishment of the repository, OCIO reported to OMB
that OST’s EA for its GRANTS System, and FAA’s EA for the NAS were
complete, and reported the financial management systems’ EA was in progress.
However, it could not provide evidence to support those statements. In fact, in
May 2011, OST management officials informed us that they are actually still
developing EA plans for its GRANTS and financial management systems.

[10] FAA uses its Knowledge Services Network Website.

Even though it has set up the repository, OCIO did not provide a plan for its use
and has not defined what information it should contain. Furthermore, neither DOT
nor its components have sufficient information to fully populate the repository.
OMB requires a properly developed repository to support agency staff in strategic
planning, IT investment planning, and system life cycle development. Because
DOT has delegated authority for EA development to its components, the
information for the repository must come from the components’ programs.
However, the components have made limited progress in the development of their
baseline architectures, have not defined their target architectures, and lack
transition plans.
These deficiencies result in insufficient information to complete
an EA repository which in turn impedes the Department’s ability to use
components’ architectures to build a Departmentwide architecture. Specifically:

   • FHWA, the Federal Motor Carrier Safety Administration (FMCSA), the
     Federal Transit Administration (FTA), MARAD, the National Highway
     Traffic Safety Administration (NHTSA), OIG, OST, the Pipeline and
     Hazardous Materials Safety Administration (PHMSA), the Research and
     Innovative Technology Administration (RITA), and STB[11] do not have
     up-to-date baseline and target architectures and transition plans;

   • FAA’s NAS and non-NAS have not updated their target architectures and
     transition plans; their EAs are also not integrated, though FAA has plans to
     integrate them in fiscal year 2012;

   • FRA has not properly updated its target architecture and transition plan.

[11] The St. Lawrence Seaway Development Corporation (SLSDC) received an exemption from EA activities from
     OCIO in March 2011.

The lack of a complete and effective repository contributes to poor IT investment
planning, inadequate system development, data that cannot be integrated or
shared, and limited reuse of resources.

The Department Has Made Little Progress in Its Reduction of IT
System Duplication and Program Redundancy

In response to a 2011 GAO survey regarding Federal EA programs, the
Department reported that it has made little progress in its reduction of duplicate
applications, use and reuse of common services and data, improvement in system
interoperability, and streamlining and consolidation of similar business processes.
OMB requires the use of EA to identify duplication and opportunities for
consolidation and reuse of technology within and across agencies. For example,
nine components[12] each maintain and fund their own PRISM[13] systems. OST
management officials informed us that the Department plans to integrate these
systems through business process reengineering and consolidation, but provided
no plans for these efforts.

[12] FAA, FHWA, FMCSA, FRA, FTA, OST, NHTSA, PHMSA, and RITA.
[13] An application that automates DOT’s procurement processes, from requisition through contract award.

As GAO noted in a March 2011 testimony before Congress,[14] DOT has five
components with 6,000 employees that administer over 100 programs with
separate funding streams for highways, transit, rail, and safety functions.
Moreover, DOT has approximately 100 surface transportation programs alone
within FTA, FMCSA, FHWA, and NHTSA that it has not reviewed for
duplication and redundancy. An OCIO official noted that the Department’s
federated approach to EA development encourages stove-piping of policies and
procedures at the expense of information-sharing and resource reuse. Because it
does not have an integrated EA program, DOT’s ability to identify and reduce
duplication of systems or redundant data is limited. Consequently, the Department
may be operating costly duplicate systems and redundant programs.

[14] Opportunities to Reduce Potential Duplication in Government Programs, Save Tax Dollars, and Enhance Revenues,
     GAO-11-318SP (Washington, DC: March 2011).

DOT and Its Components Do Not Address Information Security in
Their IT Investment Management and EAs

Neither the Department nor the components sufficiently address IT security in
their IT investment planning and management, and 12 of the 13 components have
not included security as part of their EA program development. FISMA and other
statutes and regulations require departments to integrate IT security into their
capital planning and EA processes. Furthermore, GAO and OMB recognize
security as one of the core elements that measure the effectiveness of EA and IT
investment programs. However, the Department does not provide guidance to the
components on the inclusion of IT security in their budget submissions. For the
estimated $44 million they requested for fiscal year 2012, the components, with
the exception of NHTSA, did not provide adequate information on their security
investment processes or security architecture to support their projections. See
Table 1 for details.

Table 1. Components’ FY 2012 Security Funding, Investments
Processes, and Architecture

Component   Total IT investment       Security dollars   Security Investment   Security part
            dollars in millions [a]   in millions [a]    Process [b]           of EA [c]
                                                         (Yes, No, Partial)    (Yes, No)
FAA         203                       32,427             Partial               No
FHWA        47                        2,086              Partial               No
FMCSA       4                         1,528              Partial               No
FRA         21                        297                Partial               No
FTA         11                        101                No                    No
MARAD       4                         0                  No                    No
NHTSA       21                        58                 Yes                   Yes
OIG         2                         260                No                    No
OST         19                        6,846              No                    No
PHMSA       11                        312                No                    No
RITA        13                        619                No                    No
SLSDC       1                         0                  Yes                   N/A [d]
STB         4                         0                  No                    No
Total:      361                       44,537

[a] Source: WorkLenz–the Department’s investment portfolio system–as of March 13, 2011.
[b] An organization’s approach to its selection, management, and evaluation of IT security investments.
[c] An organization addresses security in its EA in order to consistently address security across its business,
    performance, information and data, applications and services, and technology architecture products.
[d] OCIO granted SLSDC a waiver from EA activities in March 2011.

According to OCIO officials, the Department does not have a methodology for
estimating, tracking, and reporting return on security investments, or the use of
risk analysis and return on investment to determine which security controls to
fund.
Consequently, the components use their own calculations and self-report
their security funding needs to OCIO. However, we found that the components
could not support their calculations and OCIO did not hold the components
accountable for the information they reported to OMB.

OCIO reported that in fiscal year 2012, it will focus on policy updates,
implementation of practices for security cost estimations, management, reporting,
and EA alignment, but provided no plans for these efforts. The lack of these
policies and practices, including a Departmentwide methodology for security
funding estimations, makes it difficult for the Department to manage IT security in
support of its missions and business needs.

THE DEPARTMENT HAS NOT DEVELOPED PROCEDURES FOR
EA ACTIVITY ASSESSMENT

DOT does not have procedures for EA assessment, and consequently, cannot
measure the status and progress of its components’ EAs. OMB and GAO have
noted that as with any investment, EA should produce benefits, or returns on
investment that can be measured against costs. OMB’s guidance states that each
department should measure its EA activities against quality standards—metrics
defined in an EA development and maintenance methodology that assess an EA
program’s ability to assist management’s decisions on IT changes and
investments. OMB further states that, in order for management to benefit from an
EA, each department should regularly report EA quality measurements to
appropriate officials. However, DOT does not have a Departmentwide program[15]
for EA activity monitoring, and does not require components to report EA
performance measures, their plans for improvement of EA programs, or EA’s cost
savings. Nevertheless, in its response to GAO’s 2011 survey regarding EA
activities, DOT reported that it had saved an estimated $83 million in fiscal year
2009 as a result of its EA. However, DOT could not produce any support for these
savings.

[15] The Department has initiated collection of information on IT investments for use in assessments of the investments’
     performance, but does not include information on EA performance.

For the most part, the components do not have performance measurements for
their EA activities. We identified the following issues in their programs:

   • With the exception of FAA’s non-NAS, the components did not provide
     evidence of EA measurement procedures or practices for reports on their
     EA programs’ status to the Department, or plans to establish procedures;

   • NAS’s Chief Architect and FAA management are still developing a
     measurement program;

   • While FHWA, FMCSA, FTA, PHMSA, and SLSDC have finalized policies
     and procedures that address information security performance
     measurements, only SLSDC provided evidence of policy and procedure
     implementation;

   • Components’ officials did not provide evidence that they analyze
     departmental missions and revise mission-related processes based on those
     analyses before they make significant IT investments in support of the
     missions.

The lack of a Departmentwide performance measurement program and
accountability inhibits DOT’s ability to achieve cost savings and measure the
direct benefits of EA value to Agency decision-makers.
Consequently, management cannot track architecture development and use, or monitor the impact and resulting savings of EA products and services on IT and business investment decisions, collaboration, and reuse.

CONCLUSION

DOT annually invests approximately $3 billion in IT in order to conduct business and meet its missions. However, the lack of a Departmentwide EA program severely limits DOT’s ability to ensure that its IT investments are properly planned, selected, prioritized, justified, and cost-beneficial. Furthermore, because the Department lacks assessment procedures, it cannot measure its progress towards effective implementation of its IT investments to meet its missions. Without a Departmentwide EA program, DOT cannot be sure that it is maximizing returns on IT investments through cost savings, reduction in duplicative systems, alignment of information technology to mission, and effective information security spending—critical requirements in an environment of scarce resources.

RECOMMENDATIONS

To ensure successful completion and implementation of an enterprise architecture program, we recommend that the Department’s Chief Information Officer, in coordination with the components:

   1. Develop and/or revise the Department’s EA policy and procedures to address the following:
         a. Development, maintenance, and use of EA in the IT investment process;
         b. Incorporation of the Department’s Governance groups into the CPIC and Enterprise Architecture processes to provide oversight and improved decision making relating to IT investments, including security funding;
         c. Creation of a standardized methodology that provides reliable estimates of security funding needed for system investments;
         d. Development and implementation of performance measures to gauge the Department’s application of EA, including investments in system security;
         e. Tracking and formal documentation of EA changes;

   2. Assist components in the selection and implementation of compatible EA tools that will facilitate the creation of a Departmentwide EA;

   3. Input the required data (such as business processes, workflows, and technology in use) in the selected EA tools to develop or update current and future architectures and transition plans;

   4. Develop and implement a Departmentwide data management practice that provides a common data dictionary that reflects commonalities in data and processes and provides methods for sharing information across the Department;

   5. Develop a process to measure components’ EA programs’ maturity and effectiveness using key framework elements outlined in OMB's Enterprise Architecture, and develop a plan to remediate any gaps or deficiencies found;

   6. Develop a plan and work with the components to identify redundancy in current operations and technology use across the Department;

   7. Identify and report EA performance measure results, outcomes and progress to DOT's Governance groups and decision makers to ensure that they have the proper information to make EA and related information security decisions;

   8. Create a Departmentwide EA that is consistent with OMB and GAO’s frameworks and meets the requirements of the Clinger-Cohen Act.

AGENCY COMMENTS AND OIG RESPONSE

We provided the Department’s OCIO with a draft of this report on February 8, 2012, and received its written response on March 21, 2012, which is included in its entirety as an appendix to this report. In its response, OCIO concurred with recommendations 1, 2, 3, 6, and 8. Due to funding constraints, OCIO partially concurred with recommendations 4, 5, and 7. Once funding is obtained, OCIO plans to take actions to address these recommendations.

ACTIONS REQUIRED

We consider OCIO’s planned actions and target dates responsive to all our recommendations and consider them resolved but open pending completion of the planned actions. We appreciate the courtesies and cooperation of the Department of Transportation’s representatives during this audit. If you have any questions concerning this report, please call me at (202) 366-4350.

#

cc: Martin Gertel, M-1

EXHIBIT A. SCOPE AND METHODOLOGY

We reviewed applicable Department policies, procedures and management practices; laws, regulations, and guidelines that address EA and CPIC; and, Departmentwide and component documentation. Because of its formal waiver for EA from OCIO, SLSDC was exempted from our assessment of EA but was included in the IT investment review. We reviewed and assessed DOT’s EA tools, including DOT’s SharePoint Website and FAA’s KSN website, to review relevant content within components’ EAs and determined if the Department had implemented and maintains automated EA modeling tools.
We also reviewed EA investments and documentation (IT modernization plans/blueprints) by reviewing components’ investments and determined alignment to DOT EA. In addition, we reviewed all component IT investment governance practices and assessed their Capital Planning Investment Control (CPIC) program to determine if information security is effectively addressed in the IT Investment Management. We interviewed key personnel, including contractors, at OST, OCIO, and DOT’s components. We conducted site visits at DOT Headquarters in Washington, D.C. Additionally, we reviewed prior GAO and DOT reports and evaluated progress reported on the implementation of recommendations.

In our evaluation of the Department’s current and target EA development, and quality of the EA program, we used OMB and GAO guidance, and NIST SP series. For instance, OIG used as a benchmark GAO’s A Framework for Assessing and Improving Enterprise Architecture Management to determine if the Department satisfied all 59 core elements for the development, maintenance, and use of an EA. OIG also used OMB’s EA Framework, which consists of three capability areas: 1) completion; 2) use; and 3) results. OMB’s capability area representations of the critical success attributes are fundamentally aligned and substantially consistent with GAO’s core elements. See Exhibit C for the 59 core elements, the three capability areas, and our aggregate assessment of DOT components’ EA programs.

This performance audit was conducted at DOT and FAA Headquarters in Washington, D.C., in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

EXHIBIT B. DOT COMPONENT ENTERPRISE ARCHITECTURE FUNDING SUMMARY

                                                                   Enterprise Architecture Funding
DOT Components[a]                                                  FY 2010 & Earlier    FY 2011 and beyond
                                                                   (millions)           (millions)
Federal Aviation Administration (FAA)                              $19                  $14
Federal Highway Administration (FHWA)                              1                    .4
Federal Motor Carrier Safety Administration (FMCSA)                3                    .5
Federal Railroad Administration (FRA)                              2                    4.3
Federal Transit Administration (FTA)                               1.6                  .7
Maritime Administration (MARAD)                                    5                    .1
National Highway Traffic Safety Administration (NHTSA)             4.8                  3.1
Office of Inspector General (OIG)                                  0                    0
Office of the Secretary (OST)                                      12                   1.9
Pipeline and Hazardous Materials Safety Administration (PHMSA)     Not Reported         Not Reported
Research and Innovative Technology Administration (RITA)           0                    0
Saint Lawrence Seaway Development Corporation (SLSDC)              0                    0
Surface Transportation Board (STB)                                 .1                   .06
Total                                                              $48                  $25

Source: WorkLenz as of March 13, 2011
[a] For purposes of reporting under EA, we consider "DOT Components" to include all organizations listed above.

EXHIBIT C. ASSESSMENT OF DOT’S ENTERPRISE ARCHITECTURE (EA) EFFORTS AGAINST GAO’S EA MANAGEMENT MATURITY FRAMEWORK

GAO Core      OMB Capability   Satisfied?               Description
Element[16]   Area[17]         (Yes, No, Partial)[18]

Maturity Stage 0: Creating EA Awareness

Maturity Stage 1: Establishing EA Institutional Commitment and Direction
1             Use              Partial                  Written and approved organization policy exists for EA development, maintenance, and use.
2             Use              No                       Executive committee representing the enterprise exists and is responsible and accountable for EA.
3             Use              Partial                  Executive committee is taking proactive steps to address EA cultural barriers.
4             Use              No                       Executive committee members are trained in EA principles and concepts.
5             Use              Partial                  Chief architect exists.
6             Use              No                       EA purpose is clearly stated.
7             Use              Yes                      EA framework(s) is adopted.
8             Results          No                       EA performance and accountability framework is established.

Maturity Stage 2: Creating the Management Foundation for EA Development and Use
9             Use              No                       EA budgetary needs are justified and funded.
10            Use              No                       EA program office(s) exists.
11            Use              No                       Key program office leadership positions are filled.
12            Use              No                       Program office human capital plans exist.
13            Use              Partial                  EA development and maintenance methodology exists.
14            Use              Partial                  Automated EA tools exist.
15            Use              Partial                  EA program management plan exists and reflects relationships with other management disciplines.
16            Use              Partial                  Work breakdown structure and schedule to develop EA exist.
17            Completion       Partial                  EA segments, federation members, and/or extended members have been identified and prioritized.
18            Results          No                       Program office readiness is measured and reported.

Maturity Stage 3: Developing Initial EA Versions
19            Use              No                       Organization business owner and CXO representatives are actively engaged in architecture development.
20            Use              No                       EA human capital plans are being implemented.
21            Use              No                       Program office contractor support needs are being met.
22            Use              No                       Program office staff are trained in EA framework, methodology, and tools.
23            Use              No                       Methodologies and tools exist to determine investment compliance with corporate and subordinate architectures.
24            Use              No                       Methodologies and tools exist to determine subordinate architecture alignment with the corporate EA.
25            Use              No                       EA-related risks are proactively identified, reported, and mitigated.
26            Completion       Partial                  Initial versions of corporate “as-is” and “to-be” EA and sequencing plan are being developed.
27            Completion       Partial                  Initial version of corporate EA describing the enterprise in terms of performance, business, data, services, technology, and security is being developed.
28            Completion       Partial                  One or more segment and/or federation member architectures are being developed.
29            Completion       Yes                      Architecture products are being developed according to the EA content framework.
30            Completion       No                       Architecture products are being developed according to a defined EA methodology.
31            Completion       No                       Architecture products are being developed using EA tools.
32            Results          No                       Architecture development progress is measured and reported.

Maturity Stage 4: Completing and Using an Initial EA Version for Targeted Results
33            Use              No                       Executive committee has approved the initial version of corporate EA.
34            Use              No                       Key stakeholders have approved the current version of subordinate architectures.
35            Use              No                       EA is integral to the execution of other institutional management disciplines.
36            Use              No                       Program office human capital needs are met.
37            Completion       Partial                  Initial versions of corporate “as-is” and “to-be” EA and sequencing plan exist.
38            Completion       No                       Initial version of corporate EA captures performance, business, data, services, technology, and security views.
39            Completion       No                       One or more segment and/or federation member architectures exist and are being implemented.
40            Results          No                       EA product quality is measured and reported.
41            Results          No                       EA results and outcomes are measured and reported.
42            Results          No                       Investment compliance with corporate and subordinate architectures is measured and reported.
43            Results          No                       Subordinate architecture alignment with the corporate EA is measured and reported.

Maturity Stage 5: Expanding and Evolving the EA and Its Use for Institutional Transformation
44            Use              No                       Organization head has approved current version of the corporate EA.
45            Use              Partial                  Organization component heads or segment owners have approved current version of their respective subordinate architectures.
46            Use              No                       Integrated repository tools and common EA framework and methodology are used across the enterprise.
47            Use              No                       Corporate and subordinate architecture program offices operate as a single virtual office that shares resources enterprisewide.
48            Completion       No                       Corporate EA and sequencing plan are enterprisewide in scope.
49            Completion       No                       Corporate EA and sequencing plan are aligned with subordinate architectures.
50            Completion       No                       All segment and/or federated architectures exist and are horizontally and vertically integrated.
51            Completion       No                       Corporate and subordinate architectures are extended to align with external partner architectures.
52            Results          No                       EA products and management processes are subject to independent assessment.

Maturity Stage 6: Continuously Improving the EA and Its Use to Achieve Corporate Optimization
53            Use              No                       EA is used by executive leadership to inform organization strategic planning and policy formulation.
54            Use              No                       EA human capital capabilities are continuously improved.
55            Use              No                       EA methodologies and tools are continuously improved.
56            Use              No                       EA management processes are continuously improved and reflect the results of external assessments.
57            Completion       No                       EA products are continuously improved and updated.
58            Results          No                       EA quality and results measurement methods are continuously improved.
59            Results          No                       EA continuous improvement efforts reflect the results of external assessments.

Source: OIG generated using GAO and OMB EA frameworks.

[16] GAO-10-846G
[17] This representation reflects the three capability areas that are provided for in OMB’s EA Assessment Framework. As such, this representation demonstrates how GAO and OMB’s EA frameworks are fundamentally aligned and substantially consistent. The three capability areas and OMB’s definition of each are as follows: Completion: The extent to which an agency has developed an integrated, organization wide architecture, in terms of business, performance, data, services, technology, and security, as well as a comprehensive enterprise transition plan. Use: The extent to which the agency has established key management practices, processes, and policies needed for developing, maintaining, and overseeing its architecture, and for demonstrating both the importance of architecture awareness and the value of employing architecture practices; it also assesses the extent of the agency’s use of its architecture to inform strategic planning, program performance improvement planning, information resources management, IT management, and capital planning and investment control processes. Results: The extent to which the agency is measuring the effectiveness and value of its architecture activities by assigning performance measurements to its architecture and related processes, and reporting on actual results to demonstrate architecture success.
[18] To determine the results, we aggregated our assessment of the DOT components’ EA against GAO’s core elements and OMB's capability areas.

EXHIBIT D. MAJOR CONTRIBUTORS TO THIS REPORT

Name                  Title
Louis C. King         Former Program Director
Michael Marshlick     Project Manager
Martha Morrobel       Information Technology Specialist
Susan Neill           Writer-Editor

APPENDIX. AGENCY COMMENTS

DOT Refocusing Action on Enterprise Architecture

The Office of the Chief Information Officer (OCIO) is making substantive changes to the enterprise architecture (EA) program in conjunction with ongoing enhancements in the areas of Capital Planning & Investment Control (CPIC), and IT Governance. This renewed focus is intended to provide compliance with the new EA direction the Office of Management and Budget (OMB) is proposing and to address the issues identified in the OIG draft report.

Specifically, OCIO has actions underway to realign architecture under the Office of the Chief Technology Officer to bring together technical, data, enterprise and solutions architectures under one umbrella and into a common architectural fabric. This action is expected to benefit the development of all our systems as well and provide visibility into opportunities to consolidate and rationalize the Department’s IT portfolio. This realignment, coupled with the tight integration of architecture with the Technology Control Board (TCB) and the testing labs, will allow DOT to keep the target architecture as the driving force behind future IT investment choices and influence acquisition decisions.
Given the availability of a relatively fixed set of resources, these efforts to provide a structured portfolio management process will necessitate the use of resources that may have been used elsewhere, and will require the application of a prioritized approach to action on the OIG recommendations.

In order to offer transparency as to the priority OCIO is assigning to the OIG recommendations, we established the following:

   • Ranking A: Recommendations will receive the highest priority and OCIO commits to work with the OAs to achieve the results.

   • Ranking B: Recommendations will be evaluated for inclusion in upcoming budget cycles. Implementation will commence only when funding is secured.

   • Ranking C: Based on the priority of compliance with direction from OMB, along with other priority use of funding and staffing, these actions would be addressed after priority A and B are completed or if there were an unexpected surfeit of funds.

RECOMMENDATIONS AND RESPONSE

Recommendation 1: Develop and/or revise the Department's EA policy and procedures to address the following:

   a. Development, maintenance, and use of EA in the IT investment process.

   b. Incorporation of the Department's Governance groups into the CPIC and Enterprise Architecture processes to provide oversight and improved decision making relating to IT investments, including security funding.

   c. Creation of a standardized methodology that provides reliable estimates of security funding needed for system investments.

   d. Development and implementation of performance measures to gauge the Department's application of EA, including investments in system security.

   e. Tracking and formal documentation of EA changes.

Response: Concur. OCIO will update the DOT overarching policy to:

   • Assert that the Federal Segment Architecture Methodology, Version 1.0 (FSAM v1.0) is the preferred architectural development methodology. This process will address items a, c, and e above, along with all appropriate requirements and guidance[19]. These recommendations are considered priority ranking A and are intended to be completed by October 30, 2012. With regard to item b, formally integrating the EA and CPIC programs, OCIO intends to incorporate a portfolio management approach in revising its policy. This recommendation is considered priority ranking A and is intended to be completed by May 1, 2013.

   • With regard to item d, we consider the implementation measures of getting the policy and procedures in place to be the priority actions necessary to achieve compliance with the OMB requirements and to make significant headway on key issues identified by OIG. As a result, at this time we consider creating performance measures to be a C level priority and would have to defer any commitment to implementation at this time to FY 2014 or FY 2015.

Recommendation 2: Assist components in the selection and implementation of compatible EA tools that will facilitate the creation of a departmentwide EA.

Response: Concur.
OCIO will request documentation for each current OA EA tool
set and conduct an assessment to determine if one of the existing tools has the
capability to support the entire Department. If we determine that none of the tools can
be utilized for the entire Department, OCIO will conduct an analysis of available tools
to seek alternatives. This recommendation is considered priority ranking A, and is
intended to be completed by May 1, 2013.

Recommendation 3: Input the required data (such as business processes, workflows,
and technology in use) in the selected EA tools to develop or update current and future
architectures and transition plans.

Response: Concur. As described above, adopting FSAM as the Department standard
and assisting with the adoption of compatible EA tools by all OAs will help address this
finding. OCIO will also work with OST program offices and modal administrations to
develop and maintain the Department’s current state and proposed future state
architectures and make appropriate changes as the target state evolves. The resulting
EA models will be developed in an iterative manner, following FSAM best practices.
This recommendation is considered priority ranking B and will be evaluated for
inclusion in the upcoming budget cycle but will not be implemented until funding is
secured.

19 The FSAM Web site (http://www.fsam.gov) provides guidance and templates for Enterprise Architects, CPIC Professionals,
   Security Professionals, Solution Architects, and Business Owners

Recommendation 4: Develop and implement a departmentwide data management
practice that provides a common data dictionary that reflects commonalities in data
and processes and provide methods for sharing information across the Department.

Response: Concur in part. OCIO will evaluate alternative methods and best practices
for data dictionaries and implement planning for a future build that will ultimately
conform to the National Information Exchange Model (NIEM) standard. This will
allow for an iterative adoption of standard data elements as the final solution is being
implemented. This recommendation is considered priority ranking B and will be
evaluated for inclusion in the upcoming budget cycle but will not be implemented until
funding is secured.

Recommendation 5: Develop a process to measure components’ EA programs'
maturity and effectiveness using key framework elements outlined in OMB's
Enterprise Architecture, and develop a plan to remediate any gaps, or deficiencies
found.

Response: Concur in part. While OCIO recognizes the potential to improve
measurement of OA EA efforts using established maturity models, such action is
significantly lower priority than taking the actions necessary to implement consistent
policy and procedures across the Department, to achieve compliance with OMB
requirements. As a result, at this time we consider creating measures to be a C level
priority and would have to defer any commitment to implementation at this time to FY
2014 or FY 2015.

Recommendation 6: Develop a plan and work with the components to identify
redundancy in current operations and technology use across the Department.

Response: Concur. Redundancy can be eliminated at many layers of the IT portfolio,
not solely at the IT system or application level.
By implementing the EA standards
from FSAM and leveraging the Integrated Planning and Project Management (IPPM)
framework, the foundation will be established for progress in reducing duplication. In
response to this recommendation, a plan will be developed to analyze the existing EA
framework in a segmented review and identify similar OA systems to partner, share
services, eliminate redundancy and leverage licensing agreements. This
recommendation is considered priority ranking A, and is intended to be completed by
May 1, 2013.

Recommendation 7: Identify and report EA performance measure results, outcomes
and progress to DOT's Governance groups and decision makers to ensure that they
have the proper information to make EA and related information security decisions.

Response: Concur in part. As indicated in the response to Recommendation 5 above,
while OCIO recognizes the potential to improve measurement of EA efforts, such
action is a significantly lower priority than taking the actions necessary to implement
consistent policy and procedures across the Department, to achieve compliance with
OMB requirements. As a result, at this time we consider creating measures to be a C
level priority and would have to defer any commitment to implementation at this time
to FY 2014 or FY 2015.

Recommendation 8: Create a department wide EA that is consistent with OMB and
GAO’s frameworks and meets the requirements of the Clinger-Cohen Act.

Response: Concur. As stated above, OCIO is making a renewed commitment to have
a department-wide enterprise architecture program that combines the disciplines of
technical, data, solutions and enterprise architecture under a single division. This
integration is expected to bring dramatic efficiencies to the current process.
The OCIO
commits to identifying the necessary tools and personnel necessary through
realignment and to forming Integrated Program Teams (IPT) that include
representation from all impacted OAs. This will ensure that the target architecture is
built according to the Department’s requirements.

The OCIO commits to producing an EA policy that complies with OMB’s
requirements in addition to addressing capital planning, new technologies, and
streamlined service delivery to the OAs. This policy and improvements to the various
elements of the program will be supported by a more robust governance process that is
currently under development and review.

OCIO has many actions underway to support the IG’s recommendations. An OCIO
reorganization request is in process, policy elements have been drafted, and tools will
be assessed as a part of the integrated program. All of these efforts will lead to a fully
integrated program. This recommendation is considered priority ranking A, and is
intended to be completed by May 13, 2013.

OCIO has designated the senior accountable official to be Larry Slaughter, Acting
CTO, for all the recommendations above. He can be reached at
Larry.Slaughter@dot.gov or 202-366-0132. All requests for information going
forward should be addressed to Mr. Slaughter.